To ensure that data is encrypted while in use by virtual machines (VMs), and to enforce that requirement across your organization, use Confidential VM instances together with the compute.requireConfidentialCompute organization policy constraint. Here are the steps:
Enable Confidential VM:
Confirm that Confidential VM is available in the zones you use and that your instances run on a machine series that supports it (for example N2D or C2D; Confidential VM is not available on every machine type). A VM only becomes a Confidential VM when it is created with Confidential Computing enabled (the --confidential-compute flag of gcloud compute instances create, or the equivalent console option); existing non-confidential instances are not converted.
Set Organization Policy:
Implement an organization policy to enforce the use of Confidential VM instances for all VMs across your organization.
Use the Google Cloud console or the gcloud CLI to set this policy. The policy file below uses the current organization-policy format (name/spec/rules), which is applied with gcloud org-policies set-policy; the legacy gcloud resource-manager org-policies set-policy command expects a different file layout (constraint:/booleanPolicy:), so do not mix the two. Example command:
gcloud org-policies set-policy my_policy.yaml
Example my_policy.yaml (replace 1234567890 with your organization ID):
name: organizations/1234567890/policies/compute.requireConfidentialCompute
spec:
  rules:
  - enforce: true
Verify and Monitor:
Confirm that new VM creations across your organization are Confidential VMs and that attempts to create non-confidential VMs are denied. Because the constraint only applies at creation time, also audit instances that existed before the policy was set (gcloud compute instances list, inspecting each instance's confidentialInstanceConfig) and remediate or exempt them deliberately.
Test the constraint on a single folder before applying it at the organization node: it denies every non-confidential instance creation in scope, including instances created on your behalf by managed services such as GKE node pools, unless those are configured to use Confidential VMs. Regularly monitor compliance through the Google Cloud console and Cloud Logging, and set up alerts on denied creation attempts and on any instance found without a Confidential VM configuration.
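The two artifacts from the steps above, the policy file for gcloud org-policies set-policy and an audit of existing instances, as an added Python example that is not part of the original answer. It assumes the audit input is the JSON printed by gcloud compute instances list --format=json, and it treats an instance as confidential when confidentialInstanceConfig carries either enableConfidentialCompute: true (AMD SEV instances) or a confidentialInstanceType value (assumption: the newer SEV-SNP/TDX marker counts as well). The instance records are constructed sample data, not output from a real project.

```python
import json

# Organization policy constraint discussed above.
CONSTRAINT = "compute.requireConfidentialCompute"


def build_policy_yaml(org_id: str, constraint: str = CONSTRAINT, enforce: bool = True) -> str:
    """Return the policy file body for `gcloud org-policies set-policy <file>`.

    This is the current name/spec/rules layout, the same one the
    my_policy.yaml above uses; the legacy resource-manager command
    expects a different file format and will not accept this one.
    """
    return (
        f"name: organizations/{org_id}/policies/{constraint}\n"
        "spec:\n"
        "  rules:\n"
        f"  - enforce: {'true' if enforce else 'false'}\n"
    )


def is_confidential(instance: dict) -> bool:
    """True if the instance resource carries a Confidential VM configuration.

    enableConfidentialCompute is the marker set for AMD SEV instances.
    Assumption: newer instances created with --confidential-compute-type
    carry confidentialInstanceType instead, so either marker counts.
    """
    cfg = instance.get("confidentialInstanceConfig") or {}
    return bool(cfg.get("enableConfidentialCompute")) or bool(cfg.get("confidentialInstanceType"))


def non_confidential_instances(instances_json: str) -> list[str]:
    """Names of instances that are not Confidential VMs, sorted.

    `instances_json` is the text of `gcloud compute instances list --format=json`.
    The org policy only gates new creations, so this is how you find the
    pre-existing instances the policy does not touch.
    """
    instances = json.loads(instances_json)
    return sorted(i["name"] for i in instances if not is_confidential(i))


# Constructed sample: what a trimmed `instances list --format=json` looks like.
SAMPLE_INSTANCES_JSON = json.dumps([
    {"name": "cvm-sev-1", "zone": "us-central1-a",
     "confidentialInstanceConfig": {"enableConfidentialCompute": True}},
    {"name": "cvm-snp-1", "zone": "us-central1-a",
     "confidentialInstanceConfig": {"confidentialInstanceType": "SEV_SNP"}},
    {"name": "legacy-web-1", "zone": "us-central1-b"},
    {"name": "legacy-db-1", "zone": "us-central1-b",
     "confidentialInstanceConfig": {"enableConfidentialCompute": False}},
])


if __name__ == "__main__":
    # 1. Policy file to apply with: gcloud org-policies set-policy my_policy.yaml
    print(build_policy_yaml("1234567890"))
    # 2. Audit of instances that predate the policy.
    for name in non_confidential_instances(SAMPLE_INSTANCES_JSON):
        print(f"NON-COMPLIANT: {name}")
```

Run the audit per project (or across projects with a loop over gcloud projects list) and feed the list into your alerting; instances that must stay non-confidential should be moved to a folder with an explicit exemption rather than left as silent exceptions.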
Benefits:
Data Encryption in Use: Confidential VMs encrypt guest memory with a key held by the CPU (AMD SEV and related hardware features), so data is protected while it is being processed, not only at rest and in transit.
Policy Enforcement: Organization policies provide a way to enforce security configurations across all projects under your organization.